Instructions relating to risk management and internal control at Norges Bank
Laid down by the Ministry of Finance on 28 June 2022, pursuant to Section 2-4, fifth paragraph, Section 4-4, second paragraph and Section 4-5, third paragraph, of the Act of 21 June 2019 No. 31 on Norges Bank and the Monetary System etc., and pursuant to Section 3, second paragraph and Section 10, first paragraph, of the Act of 21 December 2005 No. 123 on the Government Pension Fund.
Chapter 1. Introductory provisions
Section 1. Scope
These instructions apply to Norges Bank, including the operations of its subsidiaries.
Section 2. Proportionality
Risk management and internal control shall be proportionate to the nature, scope and complexity of Norges Bank’s operations.
Chapter 2. Responsibility for risk management and internal control
Section 3. Executive Board
(1) In accordance with Section 2-4 of the Central Bank Act, the Executive Board shall ensure sound, effective and efficient organisation of Norges Bank and that its risk management and internal control are appropriate. The Executive Board shall take into account differences and peculiarities in the tasks for which day-to-day management is responsible (cf. Sections 2-11 and 2-13 of the Central Bank Act) and ensure the integrity of Norges Bank’s risk management and internal control systems as a whole.
(2) The Executive Board is responsible for ensuring that risk management and internal control systems are established, complied with and monitored, and that this work is evaluated at least once a year.
Section 4. The governor of Norges Bank and the general manager of Norges Bank’s management of the Government Pension Fund Global
(1) In accordance with guidelines from the Executive Board, the general managers shall establish, operate and monitor an adequate risk management and internal control system within each of the areas of responsibility.
(2) Changes in risk shall be monitored on a continuous basis. The general managers are responsible for providing relevant and timely information to the Executive Board so that it can perform its tasks under the Central Bank Act.
Section 5. Outsourcing
(1) Norges Bank also bears the responsibility for risk management and internal control in relation to outsourced operations. This responsibility shall be established in written agreements. The agreements shall ensure that the Bank’s bodies and control functions are entitled to inspect and monitor outsourced operations, whether the operations are outsourced to subsidiaries or external contractors. The right of inspection shall facilitate adequate implementation and reporting pursuant to Chapter 3.
(2) Norges Bank shall ensure adequate competence to manage outsourced operations. Outsourcing may not take place if it impedes sound risk management and internal control.
Chapter 3. Implementation of risk management and internal control
Section 6. Implementation of risk management
Risk at Norges Bank shall be monitored and kept at an acceptable level. The Executive Board is responsible for providing necessary and proportionate risk assessments of the organisation also before new measures are implemented. The systems for risk management and internal control shall be sufficient for managing these risks in a sound manner.
Section 7. Implementation of internal control
The implementation of risk management and internal control shall be proportionate and adapted to the organisation of the individual area of responsibility.
Section 8. Documentation, reporting and evaluation
(1) Assessments made under Sections 6 and 7 shall be documented. This documentation shall be retained for a minimum of three years.
(2) On the basis of internal documentation and reporting and at least once per year, the Executive Board shall conduct an integrated systematic assessment of the risk situation at Norges Bank and of whether risk management and internal control have been implemented in a sound manner. The assessments shall be submitted to the Supervisory Council. Assessments regarding the management of the Government Pension Fund Global shall also be submitted to the Ministry of Finance.
Chapter 4. Risk control and compliance, Internal Audit and Audit Committee
Section 9. Risk control and compliance
(1) Norges Bank shall have a risk control and compliance function for each of the general managers’ areas of responsibility, with procedures for identifying and limiting the risk that the Bank will not meet its obligations under current rules.
(2) The risk control and compliance functions shall have a manager that reports to its general manager and, in special circumstances, to the Executive Board. The risk and compliance functions shall have adequate competence and resources.
(3) The general managers shall obtain the Executive Board’s approval prior to appointing or dismissing the manager of the risk control and compliance functions.
(4) The Bank shall regularly assess whether risk control and compliance functions are sufficiently effective.
Section 10. Internal Audit
(1) Internal auditing shall be organised and conducted in line with recognised standards.
(2) The director of Internal Audit shall be appointed and dismissed by the Executive Board. The director of Internal Audit is entitled to attend Executive Board meetings.
(3) The Executive Board shall approve Internal Audit resources and plans on an annual basis.
(4) Internal Audit’s reports during the year shall be submitted to the Executive Board. Internal Audit shall issue a report to the Executive Board on risk management and internal control at least once per year.
(5) Norges Bank’s employees shall provide Internal Audit with all information and access to all information requested by Internal Audit.
Section 11. Audit Committee
(1) The Audit Committee shall serve as a preparatory body for the Executive Board on matters including the Executive Board’s supervision, risk management and internal control.
(2) The Executive Board may lay down principles for the Audit Committee’s work. The Audit Committee shall be able to inspect any activity or situation related to the Bank’s operations and obtain any necessary information.
Chapter 5. Entry into force etc.
Section 12. Entry into force etc.
These Instructions enter into force on 1 July 2022. The Regulation of 17 December 2009 No. 1630 on risk management and internal control at Norges Bank is repealed at the same time as the entry into force of these Instructions.